Re: [WebDNA] Stop hacking

This WebDNA talk-list message is from 2013. It keeps the original formatting.
numero = 110689
interpreted = N
> Many of us placed other code to prevent this hole in the webdna pre-parse script.

Can you send it to me or post here?

On Wed, Sep 11, 2013 at 6:57 PM, John Butler wrote:

> yes, it seems the coder was preventing the very thing I mentioned in my
> last post on this thread.
>
> -G
>
>
> On 2013-09-11, at 7:54 PM, Steve Graham wrote:
>
> This is noHack.db:
>
> contextName
> !
> addfields
> addlineitem
> append
> appendfile
> applescript
> arrayget
> arrayset
> authenticate
> boldwords
> browsername
> calcfilecrc32
> capitalize
> case
> clearlineitems
> closedatabase
> command
> commitdatabase
> convertchars
> convertwords
> copyfile
> copyfolder
> countchars
> countwords
> createfolder
> date
> ddeconnect
> ddesend
> decrypt
> delete
> deletefile
> deletefolder
> dos
> elapsedtime
> else
> encrypt
> exclusivelock
> filecompare
> fileinfo
> findstring
> flushcache
> flushdatabases
> format
> format
> formvariables
> founditems
> freememory
> function
> getchars
> getcookie
> getmimeheader
> grep
> hideif
> html1
> html2
> html3
> httpmethod
> if
> include
> input
> interpret
> ipaddress
> issecureclient
> lastautonumner
> lastrandom
> lineitems
> listchars
> listcookies
> listdatabases
> listfields
> listfiles
> listmimeheaders
> listpath
> listvariables
> listwords
> lookup
> lookup
> loop
> lowercase
> math
> middle
> movefile
> object
> orderfile
> password
> platform
> product
> protect
> purchase
> random
> raw
> redirect
> referrer
> removehtml
> removelineitem
> replace
> replacefounditems
> return
> returnraw
> scope
> search
> sendmail
> setcookie
> setheader
> setlineitem
> setmimeheader
> shell
> showif
> shownext
> spawn
> sql
> sql
> sqlconnect
> sqldisconnect
> sqlexecute
> sqlinfo
> sqlrelease
> sqlresult
> switch
> table
> tcpconnect
> tcpsend
> text
> then
> thisurl
> time
> unurl
> uppercase
> url
> username
> validcard
> version
> version
> waitforfile
> writefile
> xmlnode
> xmlnodes
> xmlnodesattributes
> xmlparse
> xsl
> xslt
>
>
> On Wed, Sep 11, 2013 at 6:42 PM, Donovan Brooke wrote:
>
>> Steve,
>> It appears the original coder was trying to stop anyone from trying a
>> context in the URL... however, I'm not sure why that would be desired. We
>> don't know the contents of "noHack.db" so we can't tell you exactly what
>> the coder was trying to protect the site from.
>>
>> Donovan
>>
>>
>> --- Original message ---
>> *Subject:* [WebDNA] Stop hacking
>> *From:* Steve Graham
>> *To:* <talk@webdna.us>
>> *Date:* Wednesday, 11/09/2013 3:53 PM
>>
>> I found this code in a webdna site I am fixing. Someone please say if
>> this is necessary or recommended to stop hackers in v7.x or v6.2.1:
>>
>> [formvariables]
>> [search db=noHack.db&eqcontextNamedatarq=[url][name][/url]]
>> [founditems]
>> [redirect /]
>> [/founditems]
>> [/search]
>> [/formvariables]
>>
>> [!] include this file at the top of every page to block hacking when a
>> context name appears as a formvariable name [/!]
>> ---------------------------------------------------------
>> This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>.
>> To unsubscribe, E-mail to: <talk-leave@webdna.us>
>> archives: http://mail.webdna.us/list/talk@webdna.us
>> Bug Reporting: support@webdna.us
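
What the quoted guard does with an incoming request, as an added Python sketch (not code from the thread or from WebDNA itself). It shows that names on the posted list such as "username", "password" and "search" also make ordinary forms redirect to "/". Assumptions: the `eq...datarq` comparison is a whole-field, case-insensitive match against the decoded variable name; the deny list is a subset of the noHack.db entries above; the function names and sample query strings are constructed.

```python
from urllib.parse import parse_qsl

# Subset of the contextName values posted as noHack.db in the thread.
NOHACK_CONTEXT_NAMES = {
    "include", "interpret", "shell", "sendmail", "writefile", "deletefile",
    "search", "password", "username", "date", "text", "url",
}


def blocked_names(query_string, deny=NOHACK_CONTEXT_NAMES):
    """Return the form variable names that would match a noHack.db record."""
    hits = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        # Mirrors [search db=noHack.db&eqcontextNamedatarq=[url][name][/url]]:
        # only the variable *name* is looked up, never its value. [url] just
        # escapes the name for the search parameter string, so the comparison
        # is modelled on the decoded name (assumption: whole-field match,
        # case-insensitive).
        if name.lower() in deny:
            hits.append(name)
    return hits


def guard(query_string):
    """Return "/" (the [redirect /] target) on a hit, None to render the page."""
    return "/" if blocked_names(query_string) else None


if __name__ == "__main__":
    # Constructed sample requests.
    for qs in ("sku=1234&qty=2", "include=x",
               "username=alice&password=x", "included_tax=1"):
        print(f"{qs!r:32} -> redirect={guard(qs)!r} hits={blocked_names(qs)}")
```

Any site using this include needs its own form fields checked against the list, since a login or search form that names a field after a listed context is redirected like any other match.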
Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  2. Re: [WebDNA] Stop hacking (Dan Strong 2013)
  3. Re: [WebDNA] Stop hacking (John Butler 2013)
  4. Re: [WebDNA] Stop hacking (WebDNA 2013)
  5. Re: [WebDNA] Stop hacking (John Butler 2013)
  6. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  7. Re: [WebDNA] Stop hacking (John Butler 2013)
  8. Re: [WebDNA] Stop hacking (John Butler 2013)
  9. Re: [WebDNA] Stop hacking (Steve Graham 2013)
  10. Re: [WebDNA] Stop hacking (Donovan Brooke 2013)
  11. [WebDNA] Stop hacking (Steve Graham 2013)
Steve Graham
